- within Privacy topic(s)
- with Senior Company Executives, HR and Finance and Tax Executives
- with readers working within the Banking & Credit, Insurance and Technology industries
Privacy & Cybersecurity in Canada, the US and the EU
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken with noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group and we will be pleased to assist.
Canada
Call for Comments – Consultation on OPC Guidance Processes
The Office of the Privacy Commissioner of Canada (OPC) provides guidance to help organizations meet their privacy obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA). These materials explain how privacy regulations apply in practice, outline best practices for protection, identify potential risks, and clarify what the regulator expects. To ensure the guidance is as effective and user-friendly as possible, the OPC is currently inviting feedback on its development process, covering everything from format and presentation to content and the consultation approach.
Newest OPC Contributions Program Funding Cycle Targets Projects Focused on Online Gaming
The OPC has launched its 2026-2027 Contributions Program funding cycle with a call for proposals under the theme "Achievement unlocked: protecting privacy while online gaming." Gaming is an integral part of the entertainment landscape with nearly half of Canadian adults and 70% of Canadian teens regularly playing games online. To learn more about the privacy implications of gaming on individuals, the OPC is seeking proposals for projects that will advance knowledge related to the collection and use of personal data in the online gaming sphere.
United States
CISA Launches New Platform to Strengthen Industry Engagement and Collaboration
The Cybersecurity and Infrastructure Security Agency (CISA) has introduced its Industry Engagement Platform (IEP), designed to streamline communication and collaboration between CISA and private sector stakeholders, including vendors, researchers, and academia. The platform aims to simplify engagement processes, foster innovation, and enhance partnerships to address evolving cybersecurity challenges.
European Union
The EDPB Recommendations 2/2025 On the Legal Basis for Requiring the Creation of User Accounts on E-Commerce Websites Are Open for Public Consultation
On e-commerce websites, users are frequently required to create an online account before being able to access offers or purchase goods and services. Controllers generally justify the imposition of account creation for several reasons, such as to perform a sale, enable the subscription to services, grant access to exclusive offers to their users or facilitate the operational management of orders. While controllers in the e-commerce sector may have a commercial interest to require users to set up an account, the European Data Protection Board (EDPB) notes that such account creation may also expose data subjects to additional risks to their rights and freedoms.
In this document, the EDPB provides recommendations to the controllers operating in the e-commerce sector on the conditions under which they may lawfully require their users to create an account. In particular, these recommendations set out examples of situations in which mandatory creation of an account may or may not be necessary. For example, the EDPB finds that imposing the creation of an online user account can be justified only for a very limited set of purposes, such as offering a subscription service or providing access to exclusive offers. Finally, the EDPB notes that this "guest" mode is, in principle, the most privacy-protective option to enable purchases, in line with the obligation of data protection by design and by default.
The EDPB Report on Potential High-Risk AI Systems Across the EU Public Administration
The European Data Protection Supervisor (EDPS) has published its High-Risk AI Systems Mapping Report, offering an overview of how EU institutions currently use AI and identifying which systems may fall under the "high-risk" category of Annex III of the AI Act. While EU bodies increasingly deploy AI tools — with a strong prevalence of generative AI and many additional systems in the development pipeline — the EDPS notes that these technologies can raise significant concerns for individuals' rights and freedoms, particularly when used in sensitive contexts.
In this report, the EDPS provides guidance to EU institutions on how to assess their AI tools, distinguish between ordinary and potential high-risk systems, and understand the maturity and deployment environments of the technologies they use. The document highlights typical characteristics of potential Annex III systems, such as a higher proportion of internal-facing functions, more traditional machine-learning techniques, and limited use of profiling. Finally, the EDPS stresses that many AI tools used by EU bodies remain at early stages of maturity and that careful mapping, documentation, and risk assessment are essential steps toward ensuring compliance with the AI Act.
FAQs on the Cyber Resilience Act
The Cyber Resilience Act (Regulation (EU) 2024/2847) (CRA) establishes rules for the market availability of products with digital elements to ensure their cybersecurity. It sets essential requirements for the design, development, production, and vulnerability management processes of such products. Additionally, the Act outlines obligations for economic operators and provides guidelines for market surveillance and enforcement. This preliminary set of technical Frequently Asked Questions (FAQs), published approximately two years before the entry into application of the CRA, is designed to assist stakeholders in the implementation of the CRA.
GDPR Reform Package
The first General Data Protection Regulation (GDPR) reform package, published in the EU Official Journal on December 12, 2025, is an important step in the ongoing development of EU data protection rules and marks the start of the next phase in the GDPR framework. This Regulation aims to ensure that investigations in cases concerning cross-border processing are carried out in accordance with the principle of good administration, in particular that they are carried out impartially, fairly and within a reasonable time. The handling of complaints and the conduct of investigations in cases concerning cross-border processing includes the determination of whether a case concerns cross-border processing.
In case you missed it!
The Fasken Privacy and Cybersecurity group published the following articles recently, that may be of interest.
- Pseudonymized Data: Key Takeaways from CJEU Decision
- Digital Omnibus Package – Focus on Personal Data Provisions
- AI Compliance FAQ – What Businesses and Developers Need to Know
Awards
Nareg Froundjian, Kayla Lafrenière and Julie Uzan-Naulin have been recognized by the Mondaq Autumn 2025 Thought Leadership Awards in the Data Protection (Canada) category for their bulletin: The Digital Operational Resilience Act (DORA) – How Will it Impact Canadian Businesses?
********************
From all the Fasken Privacy & Cybersecurity team, we wish you a happy holiday season and a happy new year!
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
